Netgate Discussion Forum

    Snort and blocking access to cctv system

    • techy82

      I have been able to connect from my mobile to my camera system fine up until I installed Snort.

      I have suppressed the entry, but the port seems to change often. How can I change it so it is never blocked by Snort?

      Thanks

      • bmeeks

        @techy82:

        I have been able to connect from my mobile to my camera system fine up until I installed Snort.

        I have suppressed the entry, but the port seems to change often. How can I change it so it is never blocked by Snort?

        Thanks

        This does not make sense.  Do you mean the IP changes often perhaps?  You can suppress by IP, IP range or an entire network block.  You could also just disable the offending rule.

        Bill

        • techy82

          I have suppressed several of the actual rules, but after a while the app seems to cause Snort to flag another type of rule and I have to suppress it again. I have put 3 in place so far.

          • bmeeks

            Oh…OK.  That is the nature of some of Snort's aggressiveness with enforcing HTTP_INSPECT compliance (mostly).  Are the blocks happening from those kinds of rules (the HTTP_INSPECT preprocessor)?  If so, I suggest disabling all of the HTTP_INSPECT rules that fire.  Many legitimate web sites today will run afoul of the strict RFC compliance those rules attempt to enforce.

            If you suppress by IP and your CCTV cameras always have the same IP, then you should not get further blocks.  It will take a little time for you to find and fix the false positives, though.  There is no such thing in IDS/IPS as "turn it on and forget about it".  You always must tune and filter the rule set for a particular environment.

            Bill

            • MikeV7896

              The way I set mine up at home was without blocking mode enabled for a few weeks. That way nothing was actually getting blocked when an alert was triggered. I would of course need to check all alerts, and fortunately all were not major. I think I suppressed like 13 or 14 rules over the course of the non-blocking period, and when I didn't see any further alerts for a week, I put it in blocking mode. Most of the ones I suppressed were HTTP or HTTPS related, though I did also get a couple of SIP ones since my VoIP provider breaks the caller ID length (they add the country code to the number, making it longer than normal).

              Of course, like I mentioned, my setup is at a home and not a business… but you should be able to do something similar there too. Just keep an eye on the alerts a little more often during the non-blocking period and make sure they're harmless before you suppress them.

              The S in IOT stands for Security
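
Added example, not part of any post in this thread: one way to do the alert review described above, tallying which rules fire on traffic to or from the camera and drafting IP-based suppress entries (which carry no port, so a changing port does not matter). It assumes Snort 2.x `alert_fast` log lines; the sample alerts, the camera address 192.168.1.50 and the function name `suppress_candidates` are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample in Snort 2.x alert_fast format; IPs, ports and hits are invented.
SAMPLE_ALERTS = """\
03/14-09:12:01.123456  [**] [119:31:1] (http_inspect) UNKNOWN METHOD [**] [Classification: Unknown Traffic] [Priority: 3] {TCP} 203.0.113.25:51544 -> 192.168.1.50:8000
03/14-09:12:07.654321  [**] [120:3:1] (http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE [**] [Classification: Unknown Traffic] [Priority: 3] {TCP} 192.168.1.50:8000 -> 203.0.113.25:51544
03/14-09:40:22.000111  [**] [119:31:1] (http_inspect) UNKNOWN METHOD [**] [Classification: Unknown Traffic] [Priority: 3] {TCP} 198.51.100.7:40211 -> 192.168.1.50:8000
03/14-10:02:15.000222  [**] [1:1000001:1] CONSTRUCTED unrelated rule [**] [Classification: Misc activity] [Priority: 2] {TCP} 198.51.100.9:4444 -> 192.168.1.20:22
"""

ALERT_RE = re.compile(
    r"\[(?P<gid>\d+):(?P<sid>\d+):\d+\]\s+(?P<msg>.*?)\s+\[\*\*\].*?"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)(?::\d+)?"
)

def suppress_candidates(alert_text, camera_ip):
    """Return (suppress_line, hit_count, message) per rule that fired on camera traffic."""
    hits = Counter()
    msgs = {}
    for line in alert_text.splitlines():
        m = ALERT_RE.search(line)
        if not m:
            continue
        if m["src"] == camera_ip:
            track = "by_src"
        elif m["dst"] == camera_ip:
            track = "by_dst"
        else:
            continue  # alert does not involve the camera; leave that rule untouched
        key = (int(m["gid"]), int(m["sid"]), track)
        hits[key] += 1
        msgs[key] = m["msg"]
    # Ports are deliberately ignored: the suppress entry matches on IP only.
    return [
        (f"suppress gen_id {g}, sig_id {s}, track {t}, ip {camera_ip}", n, msgs[(g, s, t)])
        for (g, s, t), n in sorted(hits.items())
    ]

if __name__ == "__main__":
    for rule, count, msg in suppress_candidates(SAMPLE_ALERTS, "192.168.1.50"):
        print(f"# {count} alert(s): {msg}\n{rule}")
```

Each drafted line is a candidate to review against the alert message before adding it to the suppress list, not something to paste in unread.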